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18 July 1980 


MEMORANDUM FOR: Chief, ISSG/OS 


FROM: 
Deputy Chief, Information Management Staff 


SUBJECT: Draft Security Requirements for Automated 
Information Systems Located in Overseas 
Installations 


1. We have reviewed your draft on security requirements for 
overseas ADP applications. As CRAFT and other automated 
applications move toward implementation in the field, we are 
particularly anxious to regularize the planning and implementation 
of necessary security for these functions. Therefore, we present 
some comments and observations in the following paragraphs. 


2. In our view, it is essential to place the overall 
responsibility and approval authority for these applications on 
the Deputy Director for Operations. We see ISSG performing a 
critical function in terms of expert guidance and recommendations. 
But it is to be noted that likely NOC needs, certain operational 
applications and cover requirements will sometimes dictate 
applications outside of standardized security criteria. DCID 


- 1/16, for instance, was obviously written with CONUS systems, not 


field, ADP applications in mind. Also, must the Department of 
State, which is also automating overseas posts, honor DCID 1/16 
requirements for themselves, and how do we mesh with State on ADP 
security requirements? 

3. We can foresee that the Office of Communications will 
have a particularly significant role in the security of our 
overseas information systems. Notwithstanding your draft 
recommendation for a qualified ADP systems security officer in the 
field, the DO does not have positions to dedicate to this 
responsibility and, generally speaking, does not envision 
enlarging our overseas personnel strength as we move toward 
automation. It is, accordingly, very likely that the Office of 
Communications personnel in the field will perform many of the ADP 
systems security requirements you foresee. It is to be noted that 
the Office of Communications has already accepted responsibility 
‘for the maintenance of all (Agency Standard) CRAFT equipment to be 
located in DO field posts. Further, it is expected that some 
of the CRAFT equipment involved overseas may be housed in the 
station/base communications facility and thereby be principally 
affected by OC security requirements. 25X1 
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4. We believe the draft should also make mention of the role 
of IMS in the security of overseas information systems. The 
Directorate for Operations has centralized information management, 
with IMS specifically charged to plan, evaluate, test, pay first 
year costs for and install automated information systems in the: 
field. In this respect, we speak for the user area divisions in 
such areas as audit trails, systems software and access controls. 


5. %It would now seem appropriate for representatives from 
ISSG, ODP, the Office of Communications and IMS to review in 
common a number of technical considerations you raise in the 
draft. Some of our technical questions are attached. If you 
agree, we will schedule such a meeting. 


6. In the meantime, where_overseas CRAFT issues are 
involved, please contact Mr. For general 


issues and planning involving automation in = a, please 
contact Ms. 


Attachment: 
As stated 


ce: Director of Communications 
Director of Data Processing 
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Information Management Staff Technical Questions 
Re Draft Security Requirements for Automated 
Information Systems Located in Overseas Installations 


1. Reference Paragraph III.A.2. Clarification is required 
on the unique qualifications necessary for the position of field 
ADP System Security Officer. Under the CRAFT concept, there will 
be no ADP professionals at DO field stations and, therefore, the 
resident ADP knowledge will be superficial at best. 


2. Reference Paragraph IV. If intelligent programmable 
terminals, such as the Delta Data 7000, qualify as ADP systems 
vice user terminals, then this paragraph is considered overly 
restricted in terms of the definition and requirements for an "ADP 
Facility". 


3. Reference Paragraph IV.A.5b. and C.4d. For other 
security or operational reasons, it may be appropriate to have. 


some CRAFT equipment in the communications vault area (not the oc 
25X11 fee It is suggested that this provision be 
reconsidered in view of physical space considerations at the field 


station and the expense of constructing and maintaining two 

separate secure areas. It is recognized that user terminals 

located within the communications vault could cause access control 
problems, but needed access to the minicomputers would be minimal. 
Further, the use of the communications personnel on site to 

perform those functions necessary to place the minicomputer in 

operation may well be the most desirable and efficient utilization 

of station personnel. In this latter case, it would then he 
advantageous to have the minicomputer co-located with the 25X41 
communications center. 
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5. Reference Paragraph IV.D-4b(2).- Reference should be 
provided to the “current security approved destruction procedures" 
for magnetic media. : 


6. Reference Paragraph Iv.D.5a(l). Identification of 
terminals by location will require either modification to standard 
terminals or the development of a TEMPEST approved oO 25X11 
provide this capability. Guidance in this area wil e required. 
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